On 22/06/2023 00:17, Stefan Mayr wrote:
Hi,
On 21.06.2023 at 12:20, Mark Thomas wrote:
CVE-2023-34981 Apache Tomcat - Information disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M5
Apache Tomcat 10.1.8
Apache Tomcat 9.0.74
Apache Tomcat 8.5.88
Description:
The fix for bug 66512 introduced a regression that was fixed as bug
66591. The regression meant that, if a response did not have any HTTP
headers set, no AJP SEND_HEADERS message would be sent which in turn
meant that at least one AJP based proxy (mod_proxy_ajp) would use the
response headers from the previous request for the current request
leading to an information leak.
> ...
Are setups with mod_jk also affected?
Almost certainly but it wasn't explicitly tested.
Mark
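The failure mode in the advisory above is a protocol-framing one: a response with no headers must still produce an AJP SEND_HEADERS message (with a header count of zero) so that the proxy replaces whatever it parsed for the previous response on the same connection. The following is an added example, not code from Tomcat, mod_proxy_ajp or this thread. It encodes and decodes AJP13 SEND_HEADERS packets, models a proxy that keeps a per-connection header table and only overwrites it when a SEND_HEADERS arrives (my simplified reading of the mod_proxy_ajp behaviour the advisory describes, not its actual code), and shows how a regressed connector leaks the first response's Set-Cookie into the second. The function names and the `regressed` flag are hypothetical; the cookie value and the one-byte END_RESPONSE layout are constructed for the demo, and well-known header names are sent as plain strings here although real AJP uses 0xA0xx coded names for them.

```python
import struct

# AJP13 message prefix codes (container -> web server direction)
AJP_SEND_HEADERS = 4
AJP_END_RESPONSE = 5


def ajp_string(s: str) -> bytes:
    """AJP string: 2-byte big-endian length, bytes, NUL terminator."""
    b = s.encode("latin-1")
    return struct.pack(">H", len(b)) + b + b"\x00"


def frame(body: bytes) -> bytes:
    """Wrap a message body in the container->server packet header 'AB' + length."""
    return b"AB" + struct.pack(">H", len(body)) + body


def encode_send_headers(status: int, reason: str, headers) -> bytes:
    body = struct.pack(">BH", AJP_SEND_HEADERS, status) + ajp_string(reason)
    body += struct.pack(">H", len(headers))        # num_headers, may legitimately be 0
    for name, value in headers:
        body += ajp_string(name) + ajp_string(value)  # simplification: no 0xA0xx coded names
    return frame(body)


def encode_end_response(reuse: bool = True) -> bytes:
    return frame(struct.pack(">BB", AJP_END_RESPONSE, 1 if reuse else 0))


def _read_string(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    s = buf[pos + 2:pos + 2 + n].decode("latin-1")
    return s, pos + 2 + n + 1                       # skip the NUL terminator


def decode_send_headers(pkt: bytes):
    """Parse a SEND_HEADERS packet into (status, reason, [(name, value), ...])."""
    if pkt[:2] != b"AB":
        raise ValueError("bad AJP packet magic")
    (length,) = struct.unpack_from(">H", pkt, 2)
    body = pkt[4:4 + length]
    if body[0] != AJP_SEND_HEADERS:
        raise ValueError("not a SEND_HEADERS message")
    (status,) = struct.unpack_from(">H", body, 1)
    reason, pos = _read_string(body, 3)
    (count,) = struct.unpack_from(">H", body, pos)
    pos += 2
    headers = []
    for _ in range(count):
        name, pos = _read_string(body, pos)
        value, pos = _read_string(body, pos)
        headers.append((name, value))
    return status, reason, headers


def tomcat_response_packets(status: int, reason: str, headers, regressed: bool):
    """Packets the connector emits for one response.

    regressed=True models the bug 66512 regression: SEND_HEADERS is skipped
    when the response carries no headers. regressed=False models the 66591 fix:
    SEND_HEADERS is always sent, with num_headers == 0 if necessary.
    """
    packets = []
    if headers or not regressed:
        packets.append(encode_send_headers(status, reason, headers))
    packets.append(encode_end_response())
    return packets


class ProxyConnection:
    """Toy model of a persistent proxy<->container AJP connection (assumption:
    the proxy's header table survives between requests and is only rebuilt
    when a SEND_HEADERS message is parsed)."""

    def __init__(self):
        self.headers = {}

    def handle_response(self, packets) -> dict:
        for pkt in packets:
            if pkt[4] == AJP_SEND_HEADERS:
                _, _, hdrs = decode_send_headers(pkt)
                self.headers = dict(hdrs)
        return dict(self.headers)     # what the proxy would forward to the client


def simulate(regressed: bool):
    """Two requests on one connection: user A gets a cookie, user B gets a
    headerless response. Returns the header dicts the proxy forwards for each."""
    proxy = ProxyConnection()
    first = proxy.handle_response(tomcat_response_packets(
        200, "OK", [("Set-Cookie", "JSESSIONID=constructed-session-of-user-A")], regressed))
    second = proxy.handle_response(tomcat_response_packets(204, "No Content", [], regressed))
    return first, second


if __name__ == "__main__":
    for flag in (True, False):
        _, leaked = simulate(flag)
        print("regressed" if flag else "fixed", "-> second response headers:", leaked)
```

Running it shows the second, headerless response carrying user A's Set-Cookie under the regressed connector and an empty header set under the fixed one. The practical check for an operator is the same as the model's: on a persistent AJP connection, every response from the container must begin with a SEND_HEADERS message, even one with zero headers, before END_RESPONSE.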
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org